Handling request from OpenSer in Freeradius - I need help

2006-07-11 Thread GlobeInPhotos
Hi
I have a problem properly handling OpenSer requests in Freeradius.
When I switch on debug mode in freeradius I get LISTING 1 (below).
In the first part of the log we can see that the INVITE message was received and
the authorize_check SQL statement (defined by _check_query) was called and I
got the proper result.
After that the message was parsed and the values from Digest-Attributes were moved to
named Digest-* attributes, e.g. Digest-Method.

In my radius solution I have to return a few attributes to OpenSer when I
detect that Digest-Method is equal to INVITE. But I cannot return attributes
from authorize_check, because when the authorize_check db procedure is called
Digest-Method is not set (I can only see Digest-Attributes). After the call to
authorize_check, freeradius parses the request and I have the complete set of values:
  Digest-User-Name = "test001"
  Digest-Realm = "server1.test.pl"
  Digest-Nonce = "44b414bb1e6165386992a6c367a1ce2b1682ba32"
  Digest-URI = "sip:[EMAIL PROTECTED]"
  Digest-Method = "INVITE"
But after this part only one DB procedure is called: test.postauth()
(defined by postauth_query in postgres.sql), and this procedure cannot
return attributes; it can return only one string.

I have questions:
- how to return a list of attributes when the message is parsed? Is it possible to
  configure radius so that it will call an SQL statement after parsing a message?
- how to access all Digest-Attributes from the unparsed message? When I put
  '%{Digest-Attributes}' in the query I can see only the first attribute.
- Is it possible to control the order of parsing? In my example the order is:
    - receive of 'raw' request
    - execution of authorize check
    - parsing of raw message (message "mod_digest: Converting
      Digest-Attributes to something sane")
  But in the post
  http://lists.freeradius.org/mailman/htdig/freeradius-users/2004-September/036519.html
  the order is the following:
    - receive of 'raw' request
    - parsing of raw message (message "mod_digest: Converting
      Digest-Attributes to something sane")
    - execution of authorize check
  Do you know how to achieve the latter order? Should I change something in the conf
  files?

Part of my postgres.conf file:

authorize_check_query = "SELECT * FROM
  test.authorize_check('%{SQL-User-Name}', '%{Digest-URI}',
  '%{Service-Type}')"

postauth_query = "SELECT test.postauth('%{Digest-Method}',
  '%{Digest-Attributes:-0}', '%{Digest-Attributes:-3}')"

LISTING 1
-
rad_recv: Access-Request packet from host 153.19.130.250:34032, id=245,
length=237
  User-Name = "[EMAIL PROTECTED]"
  Digest-Attributes = "\n\ttest001"
  Digest-Attributes = "\001\026server1.test.pl"
  Digest-Attributes = "\002*44b414bb1e6165386992a6c367a1ce2b1682ba32"
  Digest-Attributes = "\004#sip:[EMAIL PROTECTED]"
  Digest-Attributes = "\003\010INVITE"
  Digest-Response = "1475e3bd94becc734d77893ddcd70046"
  Service-Type = IAPP-Register
  Sip-URI-User = "test001"
  NAS-Port = 5060
  NAS-IP-Address = 153.19.130.250
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 3
    rlm_realm: Looking up realm "server1.test.pl" for User-Name =
"[EMAIL PROTECTED]"
    rlm_realm: No such realm "server1.test.pl"
  modcall[authorize]: module "suffix" returns noop for request 3
    users: Matched entry DEFAULT at line 5
    users: Matched entry DEFAULT at line 42
  modcall[authorize]: module "files" returns ok for request 3
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user --> '[EMAIL PROTECTED]'
radius_xlat:  'SELECT * FROM test.authorize_check('[EMAIL PROTECTED]',
'', '')'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_postgresql: query: SELECT * FROM
test.authorize_check('[EMAIL PROTECTED]', '', '')
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  ''
radius_xlat:  ''
radius_xlat:  ''
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type Digest
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
    rlm_digest: Converting Digest-Attributes to something sane...
  Digest-User-Name = "test001"
  Digest-Realm = "server1.test.pl"
  Digest-Nonce = "44b414bb1e6165386992a6c367a1ce2b1682ba32"
  Digest-URI = "sip:[EMAIL PROTECTED]"
  Digest-Method = "INVITE"
A1 = test001:server1.test.pl:gdfi
A2 = INVITE:sip:[EMAIL PROTECTED]
H(A1) = 1307e5525ca6a7907307ad0af15dbb42
H(A2) = 5bfbcc6c93b4debf70853f609176ff45
KD = 1307e5525ca6a7907307ad0af15dbb42:44b414bb1e6165386992a6c367a1ce2b1682ba32:5bfbcc6c93b4debf70853f609176ff45
EXPECTED 1475e3bd94becc734d77893ddcd700
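What rlm_digest does with the request in LISTING 1, written out as an added Python example (my code, not FreeRADIUS's): it unpacks each Digest-Attributes value (sub-type byte, length byte, data; the sub-type numbering is assumed to follow draft-sterman-aaa-sip, which is consistent with the listing) into a named Digest-* attribute, then runs the A1/A2/H(A1)/H(A2)/KD computation of RFC 2617 that the debug output prints and compares the result with Digest-Response. The realm and URI bytes are constructed stand-ins for the redacted values, so the hashes differ from the log.

```python
"""Added example, not FreeRADIUS code: the two rlm_digest steps from LISTING 1.

Step 1 is "Converting Digest-Attributes to something sane": each
Digest-Attributes value is a sub-TLV (1-byte sub-type, 1-byte total length,
data) that becomes a named Digest-* attribute.
Step 2 is the A1/A2/H(A1)/H(A2)/KD chain of RFC 2617, whose result is what
the server compares against Digest-Response.
"""
from __future__ import annotations

import hashlib
import hmac

# Sub-type numbers inside Digest-Attributes (assumed from draft-sterman-aaa-sip;
# they match the values seen in the listing: 10 = user name, 1 = realm, ...).
DIGEST_SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method",
    4: "Digest-URI", 5: "Digest-QOP", 6: "Digest-Algorithm",
    7: "Digest-Body-Digest", 8: "Digest-CNonce", 9: "Digest-Nonce-Count",
    10: "Digest-User-Name",
}


def parse_digest_attribute(raw: bytes) -> tuple[str, str]:
    """Unpack one Digest-Attributes value into (attribute name, value).

    A malformed TLV is rejected rather than silently truncated: the value is
    about to be interpolated into an SQL query and hashed, so it must be
    exactly what the length byte claims.
    """
    if len(raw) < 2:
        raise ValueError("Digest-Attributes TLV shorter than its 2-byte header")
    subtype, length = raw[0], raw[1]
    if length != len(raw):
        raise ValueError(f"length byte {length} != actual length {len(raw)}")
    name = DIGEST_SUBTYPES.get(subtype)
    if name is None:
        raise ValueError(f"unknown Digest-Attributes sub-type {subtype}")
    return name, raw[2:].decode("utf-8")


def expand_digest_attributes(values: list[bytes]) -> dict[str, str]:
    """All Digest-Attributes values of one request as named attributes."""
    return dict(parse_digest_attribute(v) for v in values)


def h(data: str) -> str:
    """H() of RFC 2617: lowercase hex MD5."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(attrs: dict[str, str], password: str) -> dict[str, str]:
    """Recompute the Digest response from the named attributes and password.

    Returns the intermediate values in the form rlm_digest prints them
    (A1, A2, H(A1), H(A2), KD) plus the final response. With no qop the
    response is MD5(H(A1):nonce:H(A2)); with qop=auth it is
    MD5(H(A1):nonce:nc:cnonce:qop:H(A2)).
    """
    a1 = f"{attrs['Digest-User-Name']}:{attrs['Digest-Realm']}:{password}"
    a2 = f"{attrs['Digest-Method']}:{attrs['Digest-URI']}"
    ha1, ha2 = h(a1), h(a2)
    qop = attrs.get("Digest-QOP")
    if qop is None:
        kd = f"{ha1}:{attrs['Digest-Nonce']}:{ha2}"
    elif qop == "auth":
        kd = (f"{ha1}:{attrs['Digest-Nonce']}:{attrs['Digest-Nonce-Count']}:"
              f"{attrs['Digest-CNonce']}:{qop}:{ha2}")
    else:
        raise ValueError(f"unsupported qop {qop!r}")
    return {"A1": a1, "A2": a2, "H(A1)": ha1, "H(A2)": ha2,
            "KD": kd, "response": h(kd)}


def verify(attrs: dict[str, str], password: str, digest_response_attr: str) -> bool:
    """Compare the recomputed response with Digest-Response in constant time."""
    expected = digest_response(attrs, password)["response"]
    return hmac.compare_digest(expected, digest_response_attr.lower())


# Constructed sample: the five Digest-Attributes values of LISTING 1.
# Realm and URI are stand-ins for the redacted values, so the hashes
# differ from the ones in the log; the structure is the same.
LISTING_1_DIGEST_ATTRIBUTES = [
    b"\x0a\x09test001",                                 # "\n\ttest001"
    b"\x01\x11server1.test.pl",
    b"\x02*44b414bb1e6165386992a6c367a1ce2b1682ba32",   # "\002*44b4..."
    b"\x04\x1dsip:test001@server1.test.pl",
    b"\x03\x08INVITE",                                  # "\003\010INVITE"
]

if __name__ == "__main__":
    attrs = expand_digest_attributes(LISTING_1_DIGEST_ATTRIBUTES)
    for name, value in attrs.items():
        print(f"  {name} = {value!r}")
    for label, value in digest_response(attrs, "gdfi").items():
        print(f"{label} = {value}")
```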

Re: Ignoring unconnected handle 4..

2006-07-11 Thread Abul Monsur Mannan

Thank you,
I figured it out. It's working now.

On 7/11/06, Chris Carver <[EMAIL PROTECTED]> wrote:

Abul Monsur Mannan wrote:

> Hello FR users
>
> Can anyone here shed some light on this for me? My problem is --
>
> [EMAIL PROTECTED] ~]# radtest rumen rumen1 localhost 1812 testing123
> Sending Access-Request of id 66 to 127.0.0.1 port 1812
>   User-Name = "rumen"
>   User-Password = "rumen1"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
> Re-sending Access-Request of id 66 to 127.0.0.1 port 1812
>   User-Name = "rumen"
>   User-Password = "rumen1"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
>
> --
>
> In radiusd -x command prompt --
>
> rad_recv: Access-Request packet from host 127.0.0.1:32769, id=66,
> length=57
>   User-Name = "rumen"
>   User-Password = "rumen1"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 23
> modcall[authorize]: module "preprocess" returns ok for request 23
> modcall[authorize]: module "chap" returns noop for request 23
> modcall[authorize]: module "mschap" returns noop for request 23
>   rlm_realm: No '@' in User-Name = "rumen", looking up realm NULL
>   rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 23
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 23
> radius_xlat:  'rumen'
> rlm_sql (sql): sql_set_user escaped user --> 'rumen'
> radius_xlat:  'SELECT id, UserName, Attribute, Value, op
> FROM radcheck   WHERE Username = 'rumen'   ORDER BY
> id'
> rlm_sql (sql): Ignoring unconnected handle 4..
> rlm_sql (sql): Ignoring unconnected handle 3..
> rlm_sql (sql): Ignoring unconnected handle 2..
> rlm_sql (sql): Ignoring unconnected handle 1..
> rlm_sql (sql): Ignoring unconnected handle 0..
> rlm_sql (sql): There are no DB handles to use! skipped 5, tried to
> connect 0
> modcall[authorize]: module "sql" returns fail for request 23
> modcall: leaving group authorize (returns fail) for request 23
> Finished request 23
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 23 ID 66 with timestamp 44b33d38
> Nothing to do.  Sleeping until we see a request.
>
>
> By the way, I have username - rumen with password rumen1 in "radcheck"
> table in my mysql DB.
>
> Thank You in advance.
> - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


For some reason your radius server is completely unable to connect to
your mysql database.  Look at the information you have configured in
your sql configuration file (mysql.conf, sql.conf, etc depending on
which you use) and verify it is correct.  Try using the command line
mysql client to connect to the mysql database you specify to ensure it
should work properly.

mysql -u -p -h radius

Chris Carver
Network Engineer


freeradius with mac address authentication

2006-07-11 Thread Carlos Rosero

Hi, I am new to this, I am looking for a tutorial that lets
me know how to configure freeradius with mac address authentication.

Thanks,

Carlos Rosero S.
www.uaa.edu
787-834-9595 x2203
[EMAIL PROTECTED]

freeradius and router problem

2006-07-11 Thread Moustapha Ould Maouloud
Hello,

I have in my LAN an AC Access Controller (IP: 192.168.10.80; gw: 192.168.10.1 / 83.B.C.D) which I authenticate on a freeradius via Internet (IP of this server: 63.E.F.G). My server receives:

  access-request from 63.E.F.G:10980
  ....

and in fact:

  sending access accept to 63.E.F.G: 10980

My problem is that the response of the radius does not reach the AC (IP 192.168.10.80) although the answer was indeed turned over to my router!!!

Can someone help me? Please

Thanks;
MOM
		 

Re: Username in MySQL with regexp

2006-07-11 Thread Kevin Bonner
On Monday 10 July 2006 04:16, christian meutes wrote:
> Hey list,
>
> can anybody give me an example for this?
>
>
> cheers,
>
> Christian Meutes
> systems engineer

My suggestion is to get it working with the flat users file first, then 
migrate the config to your MySQL users file.  Start simple, then try to get 
the more complex configuration working.  If you already have the regexp line 
written for your users file, please post it so we can recommend the best way 
to accomplish the same checks and replies in MySQL.

Kevin Bonner



Re: FreeRadius Autostart

2006-07-11 Thread Marco Fretz

maybe you have to do a "chkconfig radiusd add" first...

[EMAIL PROTECTED] wrote:

> Hi,
>
> > I am rephrasing my question. I installed FreeRadius without rpm package on
> > CentOS 4. I want FreeRadius to start automatically in background when System
> > boots up.
>
> FreeRADIUS comes with some helpful example scripts etc. there is one for
> Redhat - which works on Fedora and should work on CentOS, simply copy the
> file (redhat/rc.radiusd-redhat) into the init.d directory, eg
> /etc/init.d/radiusd
>
> ..and then
>
> chkconfig radiusd on
>
> alan


Freeradius and UUNet dial up

2006-07-11 Thread Brenckle, Nicholas



I'm having trouble configuring freeradius. I'm going to give the full story,
which might be too much detail but here goes...

I have a radius server (freeradius v 0.7) working on an old box. I want to
upgrade this to a new box with RHEL4 and Freeradius 1.0.1, that comes with
RHEL4 now. The old configuration files would not just copy over, starting
free radius gives errors with the dictionary files. Since I don't quite
understand them, I thought better try to reconfigure the new version than
just copy over configuration files.

Now I have the new version running/authenticating. The problem is I'm
missing some data, I think. When I authenticate (using NTRadPing) off the
old server, I get

Sending authentication request to server 111.111.111.111:1812
Transmitting packet, code =1 id=4 length=67
received response from the server in 10 miliseconds
reply packet code=2 id=4 length=174
response: Access-Accept
---attribute dump --
Service-Type=Framed
Framed-Protocol=PPP
Ascend-Data-Filter=\0x01\0x01\0x00\0x00\0x00\0x00\0x00\0x00\0x00
(repeated lines)
Ascent-Assign-IP-Pool=0

When I try against the new one, I get only the lines to "--attribute
dump--", but I do get a correct auth. I know that part works because if I
change the uname/password to wrong, it doesn't work. So it is correctly
checking against LDAP. But I get none of the lower lines. I know the process
is not quite right as if I add the lines to my hints file (which exists on
the old server)

DEFAULT Suffix == "@dial.dsl.net", Strip-User-Name = Yes
        Hint = "UUNetDial"

then I get nothing working. If I comment out those lines, I can
authenticate, but with no extra info. (Which I assume is part of the
problem.) If I comment the hints lines out, I get this in the output of
radiusd

    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=dsl,dc=net, with filter (&(objectClass=dslnDialupUser)(uid=radius%dsl.net))
    rlm_ldap: checking if remote access for radius%dsl.net is allowed by dslnRadiusProfile
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user radius%dsl.net authorized to use remote access

If I leave those lines in the hints, it loses the uid, as shown below...

    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=dsl,dc=net, with filter (&(objectClass=dslnDialupUser)(uid=_))
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap: search failed

So, what I need to know is, why do the hint lines make the uid get stripped?
I'm guessing the system somewhere else is also doing a strip, and so the
double means no UID gets there? Is there any "radius for dummies"? I think
I'm getting lost as to which process happens when during the process, ie:
when do the hints vs clients vs users files come into play.

Thanks for any help!
Nick

Re: FreeRadius Autostart

2006-07-11 Thread A . L . M . Buxey
Hi,

> > I am rephrasing my question. I installed FreeRadius without rpm package on
> > CentOS 4. I want FreeRadius to start automatically in background when System
> > boots up.

FreeRADIUS comes with some helpful example scripts etc. there is one for
Redhat - which works on Fedora and should work on CentOS, simply copy the
file (redhat/rc.radiusd-redhat) into the init.d directory, eg
/etc/init.d/radiusd

..and then 

chkconfig radiusd on

alan


Re: FreeRadius Autostart

2006-07-11 Thread Dennis Skinner
Wasif wrote:
> Hi all,
> 
> I am rephrasing my question. I installed FreeRadius without rpm package on
> CentOS 4. I want FreeRadius to start automatically in background when System
> boots up.

Edit /etc/rc.d/rc.local and add:

/path/to/radiusd

Or write an init script.  There should be plenty in /etc/init.d to use
for examples.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: RADIUS , LDAP Authentication Problem

2006-07-11 Thread Alan DeKok
"Thato Molise" <[EMAIL PROTECTED]> wrote:
> I dont have a problem authenticating RADIUS against LDAP but the major
> problem is RADIUS is ignoring LDAP Expiration date for unix Accounts;
> what causes this?

  The server only does what you told it to do.

  Did you tell it to use the LDAP expiration?  If so, how?  If not,
why do you expect it to do so?

  Alan DeKok.


Re: Framed-IP-Address accounted in Hex

2006-07-11 Thread Alan DeKok
Graeme Hinchliffe <[EMAIL PROTECTED]> wrote:
> Is there a chance that on a fast loaded box that threads are  
> accessing the dictionary index which is being dynamically modified  
> (it would appear) and using non-valid memory for their lookup ?   
> resulting in the value being kept as octet and the symptoms we are  
> seeing?

  Once the dictionaries are loaded and installed, the *lookups* should
be thread-safe.  The non-thread-safe portion of the hash table is only
for insertions or deletes.

  I'll send you a patch privately that *may* address it, but it's just
a guess at this point.

  Alan DeKok.



Re: FreeRadius Autostart

2006-07-11 Thread Chris Carver

Wasif wrote:

> Hi all,
>
> I am rephrasing my question. I installed FreeRadius without rpm package on
> CentOS 4. I want FreeRadius to start automatically in background when System
> boots up.
>
> Thanks
>
> Wazb

Freeradius has no mechanism to do this on its own.  You need to find out
where the startup script for CentOS is.  This is the place where you put
all programs and scripts you want run automatically on boot.  Almost
every distribution has one.  When you find it, you just need to put the
full path to your radius binary and any command line options.


Chris Carver
Network Engineer


RE: an infamous LDAP-FreeRadius question

2006-07-11 Thread Matt Ashfield
Actually, I only have the ldap -to- radius authentication when doing a
radtest. There's no eap involved at that point. I think my issue of adding
the EAP/802.1x stuff is where I'm hitting the snag.

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED] 


-Original Message-
From: Zoltan Ori [mailto:[EMAIL PROTECTED] 
Sent: July 11, 2006 12:33 PM
To: [EMAIL PROTECTED]; 'FreeRadius users mailing list'
Subject: Re: an infamous LDAP-FreeRadius question

On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
> When I try to connect via 802.1x from a wireless client my Radius server
> debugging looks like below. Obviously the TLS session is not being setup
> correctly. I'm wondering about the private_key_password attribute. I just
> set it to "whatever" but that needs to correspond to a user on the LDAP
> server doesn't it? I'm not sure that's been set up.

You might try not using an ldaps connection if your LDAP server allows it.
Comment out all the TLS in the ldap section. This TLS/SSL connection to your
LDAP server is a separate issue from 802.1x. That's just between the RADIUS
server and LDAP. Once you've got everything else going, go back and work with
the ldaps.

The main thing is to change only one thing at a time. Then you'll know exactly
what broke it and what didn't. I believe you had LDAP working before, didn't
you?

Zoltan Ori




FreeRadius Autostart

2006-07-11 Thread Wasif
Hi all,

I am rephrasing my question. I installed FreeRadius without rpm package on
CentOS 4. I want FreeRadius to start automatically in background when System
boots up.

Thanks

Wazb



Re: an infamous LDAP-FreeRadius question

2006-07-11 Thread Zoltan Ori
On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
> When I try to connect via 802.1x from a wireless client my Radius server
> debugging looks like below. Obviously the TLS session is not being setup
> correctly. I'm wondering about the private_key_password attribute. I just
> set it to "whatever" but that needs to correspond to a user on the LDAP
> server doesn't it? I'm not sure that's been set up.

You might try not using an ldaps connection if your LDAP server allows it. 
Comment out all the TLS in the ldap section. This TLS/SSL connection to your 
LDAP server is a separate issue from 802.1x. That's just between the RADIUS 
server and LDAP. Once you've got everything else going, go back and work with 
the ldaps. 

The main thing is to change only one thing at a time. Then you'll know exactly 
what broke it and what didn't. I believe you had LDAP working before, didn't 
you?

Zoltan Ori



Re: Log Accounting users......

2006-07-11 Thread Chris Carver

Emerson wrote:

> Hi,
>
> people, I mounted a freeradius and a NAS running linux with hostapd +
> wpa_supplicant and DHCP.
> My users authenticate with wifi 802.1X, and it always works. But I need to know
> if the radius logs the IP of the user in accounting and saves this in a
> mysql table?
>
> Anyone make this work?
>
> Thanks.
>
> Emerson


The IP will be in the radius start and stop packets which are logged by 
default to a flat text file by the detail module.  You can have them 
logged to a mysql database, as I do, by modifying sql.conf to fit your 
needs and putting 'sql' in the accounting stanza of the radiusd.conf file.


Chris Carver
Network Engineer


Log Accounting users......

2006-07-11 Thread Emerson

Hi,

people, I mounted a freeradius and a NAS running linux with hostapd +
wpa_supplicant and DHCP.
My users authenticate with wifi 802.1X, and it always works. But I need to know if
the radius logs the IP of the user in accounting and saves this in a mysql
table?

Anyone make this work ?

Thanks.

Emerson



Re: an infamous LDAP-FreeRadius question

2006-07-11 Thread Zoltan Ori
On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldapserver2:389, authentication 0
> rlm_ldap: setting TLS CACert File to
> /etc/openldap/cacerts/20060206_ldap2_xxx_xxx.crt
> rlm_ldap: setting TLS Require Cert to demand
> rlm_ldap: starting TLS
> rlm_ldap: ldap_start_tls_s()
> rlm_ldap: could not start TLS Connect error
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns fail for request 0

Apparently your LDAP server is not accepting TLS/SSL connections on port 389. 
You'll need to fix that. See the docs on rlm_ldap for specifying the correct 
port for your ldaps connection. I think it is as simple as 'port = 636'.

Zoltan Ori



Re: an infamous LDAP-FreeRadius question

2006-07-11 Thread Phil Mayers

Matt Ashfield wrote:

> I have LDAP configured and can do a cleartext radius authentication using
> username/passwords (using radtest). What I'd like to do is take the next
> step and do 802.1x authentication for my windows clients and I suppose
> that's where I was hoping to find some cleancut instructions on this as I've
> seen quite a bit of threads concerning this but as mentioned in my initial
> email, they can be tough to follow.

It's really very simple. If you have users of the form:

dn: cn=username,ou=whatever,dc=domain,dc=com
objectClass: inetOrgPerson-or-whatever
cn: username
userPassword: theplaintextpass

...just set FR like so:

modules {
  ldap {
    server = foo
    basedn = bar
    # other attributes
    password_attribute = userPassword
  }
}

authorize {
  preprocess
  chap
  mschap
  eap
  ldap
}
authenticate {
  Auth-Type MS-CHAP {
    mschap
  }
  Auth-Type CHAP {
    chap
  }
  eap
}

If your userPassword are something like:

userPassword: {crypt}=3115313652
clearTextPass: {clear}theplaintext

..you would use

modules {
  ldap {
    password_header = "{clear}"
    password_attribute = clearTextPass
  }
}

...and so on.


RE: an infamous LDAP-FreeRadius question

2006-07-11 Thread Matt Ashfield
Thanks for the links. I've seen a few before and have gone over them again
this morning. I'm not sure where I have misconfigured something. 

When I try to connect via 802.1x from a wireless client my Radius server
debugging looks like below. Obviously the TLS session is not being setup
correctly. I'm wondering about the private_key_password attribute. I just
set it to "whatever" but that needs to correspond to a user on the LDAP
server doesn't it? I'm not sure that's been set up.

Any helpful ideas/comments are greatly appreciated. Thanks!
Matt
[EMAIL PROTECTED]

rad_recv: Access-Request packet from host x.x.x.201:6001, id=4, length=117
User-Name = "mda"
NAS-IP-Address = x.x.x.201
Called-Station-Id = "00-02-2d-47-01-c4"
Calling-Station-Id = "00-0e-35-36-48-f2"
NAS-Identifier = "AP3WJD"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02040008016d6461
Message-Authenticator = 0x3453e92189034ccc69804159f1c574e6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "mda", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 4 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat:  '(uid=mda)'
radius_xlat:  'ou=xxx,dc=xxx,dc=xxx'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver2:389, authentication 0
rlm_ldap: setting TLS CACert File to
/etc/openldap/cacerts/20060206_ldap2_xxx_xxx.crt
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 0
modcall: group authorize returns fail for request 0
Finished request 0
Going to the next request




Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED] 


-Original Message-
From: Zoltan Ori [mailto:[EMAIL PROTECTED] 
Sent: July 11, 2006 10:44 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: an infamous LDAP-FreeRadius question

On Tuesday 11 July 2006 07:24, Matt Ashfield wrote:
> I have LDAP configured and can do a cleartext radius authentication using
> username/passwords (using radtest). What I'd like to do is take the next
> step and do 802.1x authentication for my windows clients and I suppose
> that's where I was hoping to find some cleancut instructions on this as
> I've seen quite a bit of threads concerning this but as mentioned in my
> initial email, they can be tough to follow.

There is no shortage of information available. There are links to HOW TO on 
www.freeradius.org main page for 802.1x and EAP
http://www.freeradiuos.org/doc/EAPTLS.pdf
http://www.tldp.org/HOWTO/8021X-HOWTO/

Read the docs on rlm_eap which has LDAP info. That can be found in your 
sources as well as on the wiki.

Also, see this document

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Zoltan Ori




Re: Authenticating user with FDS

2006-07-11 Thread Phil Mayers

Hariharan R wrote:

> Hi all,
>
> I am using FreeRADIUS1.1.1 with Fedora Directory server as a backend
> data store.
>
> Let us consider the scenario..
>
> I have two servers, one is a mail server and another one is a proxy
> server. Both servers are configured to use RADIUS+FDS for user
> authentication. In FDS I have two organizational units under the root domain.
>
> For Ex;
> ou=mailusers,dc=example,dc=com
> ou=proxyusers,dc=example,dc=com
>
> In the 'raddb/radiusd.conf' file I specified the base domain as
> (In LDAP module)
>
> basedn = "dc=example,dc=com"
>
> So whenever a client request comes to the RADIUS server it will look
> for the username in FDS.
>
> The problem is, how will the RADIUS identify whether the request
> comes from the 'mail server' or from the 'proxy server'. Because for
> mailserver users I have to look in "ou=mailusers,dc=example,dc=com"
> and for proxy users I have to look in
> "ou=proxyusers,dc=example,dc=com".

Try this:

/etc/raddb/huntgroups:

mail    NAS-IP-Address == the.mail.server.ip
proxy   NAS-IP-Address == the.proxy.server.ip

/etc/radiusd.conf:

modules {
  ldap {
    basedn = "ou=%{Huntgroup-Name},dc=example,dc=com"
  }
}

> How can I change the LDAP basedn according to the request?

Use any string expansion you like, as above.


Re: an infamous LDAP-FreeRadius question

2006-07-11 Thread Zoltan Ori
On Tuesday 11 July 2006 07:24, Matt Ashfield wrote:
> I have LDAP configured and can do a cleartext radius authentication using
> username/passwords (using radtest). What I'd like to do is take the next
> step and do 802.1x authentication for my windows clients and I suppose
> that's where I was hoping to find some cleancut instructions on this as
> I've seen quite a bit of threads concerning this but as mentioned in my
> initial email, they can be tough to follow.

There is no shortage of information available. There are links to HOW TO on 
www.freeradius.org main page for 802.1x and EAP
http://www.freeradiuos.org/doc/EAPTLS.pdf
http://www.tldp.org/HOWTO/8021X-HOWTO/

Read the docs on rlm_eap which has LDAP info. That can be found in your 
sources as well as on the wiki.

Also, see this document

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Zoltan Ori



Re: Ignoring unconnected handle 4..

2006-07-11 Thread Chris Carver

Abul Monsur Mannan wrote:

> Hello FR users
>
> Can anyone here shed some light on this for me? My problem is --
>
> [EMAIL PROTECTED] ~]# radtest rumen rumen1 localhost 1812 testing123
> Sending Access-Request of id 66 to 127.0.0.1 port 1812
>   User-Name = "rumen"
>   User-Password = "rumen1"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
> Re-sending Access-Request of id 66 to 127.0.0.1 port 1812
>   User-Name = "rumen"
>   User-Password = "rumen1"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
>
> --
>
> In radiusd -x command prompt --
>
> rad_recv: Access-Request packet from host 127.0.0.1:32769, id=66,
> length=57
>   User-Name = "rumen"
>   User-Password = "rumen1"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 23
> modcall[authorize]: module "preprocess" returns ok for request 23
> modcall[authorize]: module "chap" returns noop for request 23
> modcall[authorize]: module "mschap" returns noop for request 23
>   rlm_realm: No '@' in User-Name = "rumen", looking up realm NULL
>   rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 23
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 23
> radius_xlat:  'rumen'
> rlm_sql (sql): sql_set_user escaped user --> 'rumen'
> radius_xlat:  'SELECT id, UserName, Attribute, Value, op
> FROM radcheck   WHERE Username = 'rumen'   ORDER BY
> id'
> rlm_sql (sql): Ignoring unconnected handle 4..
> rlm_sql (sql): Ignoring unconnected handle 3..
> rlm_sql (sql): Ignoring unconnected handle 2..
> rlm_sql (sql): Ignoring unconnected handle 1..
> rlm_sql (sql): Ignoring unconnected handle 0..
> rlm_sql (sql): There are no DB handles to use! skipped 5, tried to
> connect 0
> modcall[authorize]: module "sql" returns fail for request 23
> modcall: leaving group authorize (returns fail) for request 23
> Finished request 23
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 23 ID 66 with timestamp 44b33d38
> Nothing to do.  Sleeping until we see a request.
>
> By the way, I have username - rumen with password rumen1 in "radcheck"
> table in my mysql DB.
>
> Thank You in advance.



For some reason your radius server is completely unable to connect to 
your mysql database.  Look at the information you have configured in 
your sql configuration file (myssql.conf, sql.conf, etc depending on 
which you use) and verify it is correct.  Try using the command line 
mysql client to connect to the mysql database you specify to ensure it 
should work properly.


mysql -u <user> -p -h <host> radius

Chris Carver
Network Engineer
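When the debug output is long, the handle-pool failure above is easy to miss among the noop lines. The following is an added example, not code from the list or from the FreeRADIUS project: it scans `radiusd -X` style output for the module that failed the authorize section and for the rlm_sql "Ignoring unconnected handle" / "no DB handles to use" pattern, then returns a verdict. The embedded log is a constructed excerpt of the output quoted in the post.

```python
import re

# Constructed excerpt of the radiusd -X output quoted in the post above.
SAMPLE_LOG = """\
modcall[authorize]: module "preprocess" returns ok for request 23
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
modcall[authorize]: module "sql" returns fail for request 23
"""

MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
HANDLE_RE = re.compile(r'rlm_sql \(([^)]+)\): Ignoring unconnected handle (\d+)')
POOL_RE = re.compile(r'rlm_sql \(([^)]+)\): There are no DB handles to use! skipped (\d+), tried to connect (\d+)')

def failed_modules(log):
    """(section, module, request id) for each module call that returned 'fail'."""
    hits = (MODCALL_RE.search(line) for line in log.splitlines())
    return [(m.group(1), m.group(2), int(m.group(4))) for m in hits if m and m.group(3) == 'fail']

def sql_pool_status(log):
    """Per rlm_sql instance: unconnected handle numbers plus the pool-exhausted counters."""
    status = {}
    for line in log.splitlines():
        m = HANDLE_RE.search(line) or POOL_RE.search(line)
        if not m:
            continue
        entry = status.setdefault(m.group(1), {'unconnected': set()})
        if m.re is HANDLE_RE:
            entry['unconnected'].add(int(m.group(2)))
        else:
            entry['skipped'], entry['tried'] = int(m.group(2)), int(m.group(3))
    return status

def diagnose(log):
    """Verdict per rlm_sql instance whose pool was exhausted on this request."""
    verdicts = {}
    for inst, s in sql_pool_status(log).items():
        if 'skipped' not in s:
            continue  # some handles were skipped but one still served the query
        n = len(s['unconnected'])
        if s['skipped'] == n and s['tried'] == 0:
            verdicts[inst] = (f'all {n} handles unconnected, no reconnect attempted: the server '
                              'cannot reach the database with its configured server/login/password')
        else:
            verdicts[inst] = f"pool exhausted: {s['skipped']} skipped, {s['tried']} reconnects tried"
    return verdicts
```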


Ignoring unconnected handle 4..

2006-07-11 Thread Abul Monsur Mannan

Hello FR users

Can anyone here shed some light on this for me? My problem is --

[EMAIL PROTECTED] ~]# radtest rumen rumen1 localhost 1812 testing123
Sending Access-Request of id 66 to 127.0.0.1 port 1812
  User-Name = "rumen"
  User-Password = "rumen1"
  NAS-IP-Address = 255.255.255.255
  NAS-Port = 1812
Re-sending Access-Request of id 66 to 127.0.0.1 port 1812
  User-Name = "rumen"
  User-Password = "rumen1"
  NAS-IP-Address = 255.255.255.255
  NAS-Port = 1812

--

In the radiusd -x command prompt --

rad_recv: Access-Request packet from host 127.0.0.1:32769, id=66, length=57
  User-Name = "rumen"
  User-Password = "rumen1"
  NAS-IP-Address = 255.255.255.255
  NAS-Port = 1812
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 23
modcall[authorize]: module "preprocess" returns ok for request 23
modcall[authorize]: module "chap" returns noop for request 23
modcall[authorize]: module "mschap" returns noop for request 23
  rlm_realm: No '@' in User-Name = "rumen", looking up realm NULL
  rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 23
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 23
radius_xlat:  'rumen'
rlm_sql (sql): sql_set_user escaped user --> 'rumen'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op
FROM radcheck   WHERE Username = 'rumen'   ORDER BY
id'
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
modcall[authorize]: module "sql" returns fail for request 23
modcall: leaving group authorize (returns fail) for request 23
Finished request 23
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 23 ID 66 with timestamp 44b33d38
Nothing to do.  Sleeping until we see a request.


By the way, I have the username rumen with password rumen1 in the "radcheck"
table in my MySQL DB.

Thank you in advance.


Authenticating user with FDS

2006-07-11 Thread Hariharan R

Hi all,

I am using FreeRADIUS 1.1.1 with Fedora Directory Server as the backend data
store.

Let us consider the scenario.

I have two servers: one is a mail server and the other is a proxy server.
Both servers are configured to use RADIUS+FDS for user authentication. In
FDS I have two organizational units under the root domain.

For example:
 ou=mailusers,dc=example,dc=com
 ou=proxyusers,dc=example,dc=com

In the 'raddb/radiusd.conf' file I specified the base domain as follows (in
the LDAP module):

 basedn = "dc=example,dc=com"

So whenever a client request comes to the RADIUS server it will look for
the username in FDS.

The problem is, how will RADIUS identify whether the request comes from the
'mail server' or from the 'proxy server'? Because for mail server users I
have to look in "ou=mailusers,dc=example,dc=com" and for proxy users I have
to look in "ou=proxyusers,dc=example,dc=com".

How can I change the LDAP basedn according to the request?

Can anyone please help me solve this problem?

If you have some other method to achieve my objective, please let me know.

---
Regards,
Hariharan.R


RADIUS , LDAP Authentication Problem

2006-07-11 Thread Thato Molise

Hi all,

I'm currently running Red Hat Linux 3 ES with kernel-2.4.21-27.EL,
openldap-2.0.27-17, and freeradius-1.0.1-1.RHEL3.

I don't have a problem authenticating RADIUS against LDAP, but the major
problem is that RADIUS is ignoring the LDAP expiration date for Unix
accounts; what causes this?

RE: an infamous LDAP-FreeRadius question

2006-07-11 Thread Matt Ashfield
I have LDAP configured and can do a cleartext RADIUS authentication using
username/passwords (using radtest). What I'd like to do is take the next
step and do 802.1x authentication for my Windows clients, and I suppose
that's where I was hoping to find some clean-cut instructions on this, as I've
seen quite a few threads concerning this but, as mentioned in my initial
email, they can be tough to follow.

Thanks

Matt Ashfield
[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: July 10, 2006 4:51 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: an infamous LDAP-FreeRadius question

"Matt Ashfield" <[EMAIL PROTECTED]> wrote:
> What I didn't see (and I apologize if it's there) is if anyone
> has a HowTo or something similar on how to configure Freeradius for
> authentication against LDAP (not active directory) which has usernames and
> password stored on it in cleartext. Presumably I'd be using PEAP for this.

  The O'Reilly LDAP book has a good chapter on this.

  Other than that, just configure LDAP.  It should read the passwords
automatically (see ldap.attrmap).  If you can get CHAP to work against
LDAP, PEAP should follow immediately.

  Alan DeKok.




Re: Framed-IP-Address accounted in Hex

2006-07-11 Thread Graeme Hinchliffe


On 7 Jul 2006, at 17:46, Alan DeKok wrote:

>> Are dictionaries loaded each time a child is started? or just once
>> and then kept in memory?
>
>   The server doesn't start any children.  The dictionaries are loaded
> once, and cached as long as it's running.


Hi,
	I have been digging through the source for FreeRADIUS 1.1.2. As I
understand it from my quick dig through, value_pair defaults to octets as
the datatype for a given attribute; this is then looked up a bit further on
and set to the correct type via the dictionary. Dict.c refers to a function
in lib/hash.c, and at the top of this source file is the line:

"Non-thread-safe split-ordered hash table"

Is there a chance that on a fast, loaded box threads are accessing the
dictionary index, which is being dynamically modified (it would appear),
and using non-valid memory for their lookup, resulting in the value being
kept as octets and the symptoms we are seeing?

The most common under heavy load was the session ID, but we are still
seeing the IP address being set as a hex value also; these cases have only
been spotted due to the error logging of postgres or the errors it has
generated in sub-systems working on the accounting data.


I have reduced the number of updates per hour and these problems have  
almost completely vanished.


Thanks

Graeme

